2026-06-02 13:52:54 +00:00
5 changed files with 14 additions and 14 deletions
@@ -32,7 +32,7 @@ workspace has:
 - An optional **parent** (forms the org tree)
 - An optional **workspace_dir** (a host path bind-mounted into the
  container — gives the agent direct access to your codebase)
- An optional **budget_limit** (workspace-level spend cap — see [Workspace budgets](#workspace-budgets) below)
+- An optional **budget_limit** (workspace-level spend cap via `budget_limit`)

 Workspaces talk to each other via **A2A** (agent-to-agent) messages, routed
 by the platform. Communication rules: same workspace, siblings, and
@@ -10,7 +10,7 @@ versions.

 > **Note:** Molecule AI does not ship a hosted skill marketplace. All
 > skills are installed from local packages, GitHub URLs, or community
-> bundles. See [Skill Lifecycle](#lifecycle) for how to publish and
+> bundles. See [Skill Lifecycle](#skill-lifecycle) for how to publish and
 > distribute skills within your org.

 ## Available Skill Types
@@ -343,7 +343,7 @@ If you are routing a Gemini model through a key that triggers the compat shim (e
 ## See also

 - [Concepts — Workspaces](/docs/concepts#workspaces)
- [API Reference — POST /workspaces](/docs/api-reference#post-workspaces)
+- [API Reference — POST /workspaces](/docs/api-reference#workspaces)
 - [Google ADK Runtime](/docs/google-adk) — Gemini-native alternative to Hermes for ADK-first workflows
 - PR #240: [Phase 2a — native Anthropic dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/240)
 - PR #255: [Phase 2b — native Gemini dispatch](https://git.moleculesai.app/molecule-ai/molecule-core/pull/255)
@@ -35,7 +35,7 @@ shipped — not the roadmap or planned features.

 ---

-## A01 — Prompt Injection ✅ COVERED
+## A01: Prompt Injection

 **Risk:** An attacker embeds malicious instructions in external data (files, web
 content, user messages) that the agent treats as authoritative commands.
@@ -60,7 +60,7 @@ responsibility of the agent's own prompt engineering and the LLM's alignment.

 ---

-## A02 — Sensitive Information Disclosure ✅ COVERED
+## A02: Sensitive Information Disclosure

 **Risk:** An agent exposes confidential data — credentials, PII, internal
 documents — through tool calls, logs, or responses.
@@ -89,7 +89,7 @@ exposed and the LLM's instruction following.

 ---

-## A03 — Unbounded Resource Consumption ✅ COVERED
+## A03: Unbounded Resource Consumption

 **Risk:** An agent makes excessive LLM calls, processes unbounded data, or holds
 memory in a loop, causing cost overruns or DoS.
@@ -116,7 +116,7 @@ for unusual activity patterns.

 ---

-## A04 — Sandboxing Escapes ⚠️ PARTIAL
+## A04: Sandboxing Escapes

 **Risk:** An agent escapes the container sandbox and accesses the host system,
 neighboring containers, or the internal network.
@@ -145,7 +145,7 @@ egress filtering at the Docker host or Kubernetes network policy level.

 ---

-## A05 — Agent-Human Relationship Dysfunction ⚠️ PARTIAL
+## A05: Agent-Human Relationship Dysfunction

 **Risk:** The human operator loses meaningful oversight of agent actions — the
 agent acts without notification, makes irreversible decisions, or misrepresents
@@ -179,7 +179,7 @@ points. Monitor Langfuse for silent agent activity.

 ---

-## A06 — Memory Poisoning ✅ COVERED
+## A06: Memory Poisoning

 **Risk:** An attacker manipulates the agent's memory store to inject malicious
 instructions or biases that the agent reads back and acts on.
@@ -204,7 +204,7 @@ not a platform-level control.

 ---

-## A07 — Cascade Hallucinations ✅ COVERED
+## A07: Cascade Hallucinations

 **Risk:** An agent generates incorrect outputs that are fed downstream as
 ground-truth, compounding errors across multiple agent calls or tool chains.
@@ -230,7 +230,7 @@ possible, and review traces for signs of cascade errors.

 ---

-## A08 — Overreliance ⚠️ PARTIAL
+## A08: Overreliance

 **Risk:** Users or automated systems trust an agent's outputs without adequate
 verification, leading to harmful decisions based on incorrect agent outputs.
@@ -265,7 +265,7 @@ agent outputs.

 ---

-## A09 — Supply Chain Vulnerabilities ❌ NOT COVERED
+## A09: Supply Chain Vulnerabilities

 **Risk:** Vulnerable or malicious dependencies in the agent toolchain — workspace
 runtime packages, plugins, adapter libraries, or LLM provider SDKs.
@@ -293,7 +293,7 @@ supply chain and is not specifically addressed by the platform at this time.

 ---

-## A10 — Improper Agency Grants ❌ NOT COVERED
+## A10: Improper Agency Grants

 **Risk:** An agent is granted more agency (capability to take actions, access
 resources, make changes) than it needs — creating blast radius if the agent is
@@ -168,5 +168,5 @@ This header is added automatically by the workspace executor when `task_budget >
 - [Concepts — Workspaces](/docs/concepts#workspaces) — workspace primitives overview
 - [Org Template](/docs/org-template) — deploy effort/task_budget settings across an entire team via `org.yaml`
 - [Observability](/docs/observability) — monitor token usage per workspace to tune your budget settings
- [API Reference — POST /workspaces](/docs/api-reference#post-workspaces)
+- [API Reference — POST /workspaces](/docs/api-reference#workspaces)
 - [Claude Opus 4.7 — Anthropic docs](https://platform.claude.com/docs/) — upstream reference for `output_config`